Technical Field
The embodiments of this application relate to the technical field of confidential computing, and in particular to a virtual machine measurement method, a confidential computing authentication method, a device, a system and a storage medium.
Background
Confidential computing is a computing paradigm that builds an encrypted, isolated and attestable confidential computing environment on top of trusted hardware combined with firmware and software, guaranteeing data confidentiality, data integrity, code integrity and confidentiality of the computation process within that environment. Confidential computing is widely applied in scenarios such as financial data fusion, blockchain smart contracts, genomic analysis and cloud services. To ensure the security of confidential computing, the legitimacy of the confidential computing environment needs to be authenticated; authenticating the legitimacy of the confidential computing environment is called confidential computing environment authentication (confidential computing authentication for short).
Confidential computing authentication can be achieved by authenticating the identity information of the confidential computing environment. When the confidential computing environment is built from a virtual machine, the identity information of the confidential computing environment can be obtained through virtual machine measurement; virtual machine measurement refers to measuring information about the virtual machine to obtain a measurement result. Therefore, how to provide a virtual machine measurement solution that improves the comprehensiveness of virtual machine measurement results, and thereby provides a basis for improving the comprehensiveness of confidential computing authentication, has become a technical problem that those skilled in the art urgently need to solve.
Summary of the Invention
In view of this, embodiments of the present application provide a virtual machine measurement method, a confidential computing authentication method, a device, a system and a storage medium, so as to improve the comprehensiveness of virtual machine measurement results and thereby provide a basis for improving the comprehensiveness of confidential computing authentication.
To achieve the above objective, embodiments of the present application provide the following technical solutions.
In a first aspect, embodiments of the present application provide a virtual machine measurement method, applied to a security processor, the security processor being provided in a confidential computing server device, the method including:
in the process of creating a secure virtual machine, measuring the secure virtual machine to determine a launch measurement result of the secure virtual machine at launch; where the secure virtual machine is deployed on the confidential computing server device, and the security processor completes the launch of the secure virtual machine by creating it;
during the running of the secure virtual machine, measuring program-execution-related information used by the secure virtual machine to run an application program, to determine a program execution measurement result of the secure virtual machine at runtime;
where the launch measurement result and the program execution measurement result are used for confidential computing environment authentication, and the confidential computing environment is built in units of secure virtual machines.
In a second aspect, embodiments of the present application provide a confidential computing authentication method, applied to a confidential computing server device, the method including:
obtaining a report request sent by a remote attestation initiator device;
in response to the report request, generating an attestation report, and updating the launch measurement result of the secure virtual machine at launch and the program execution measurement result of the secure virtual machine at runtime into the identity information of the confidential computing environment carried by the attestation report; where the secure virtual machine is deployed on the confidential computing server device, and the confidential computing environment is built in units of secure virtual machines;
sending the attestation report to the remote attestation initiator device, for use in authenticating the legitimacy of the confidential computing environment.
In a third aspect, embodiments of the present application provide a confidential computing authentication method, applied to a remote attestation server device, the method including:
obtaining an attestation report sent by a remote attestation initiator device, the attestation report carrying identity information of the confidential computing environment, and the identity information of the confidential computing environment carrying the launch measurement result of the secure virtual machine at launch and the program execution measurement result of the secure virtual machine at runtime; where the secure virtual machine is deployed on the confidential computing server device, and the confidential computing environment is built in units of secure virtual machines;
authenticating whether the identity information of the confidential computing environment in the attestation report is legitimate, and generating an authentication result for the confidential computing environment;
sending the authentication result to the remote attestation initiator device.
In a fourth aspect, embodiments of the present application provide a confidential computing server device, including: a security processor, host system software and a secure virtual machine;
the host system software is configured to call the security processor to create the secure virtual machine when the secure virtual machine is launched, and, when the secure virtual machine has completed launching, to invoke a run instruction for the secure virtual machine so that the secure virtual machine runs; where the security processor completes the launch of the secure virtual machine by creating it;
the secure virtual machine is configured to, during running, load program-execution-related information used to run an application program, and to send a notification command to the security processor;
the security processor is configured to, in the process of creating the secure virtual machine and when called by the host system software, measure the secure virtual machine to determine the launch measurement result of the secure virtual machine at launch; and, during the running of the secure virtual machine and based on the notification command from the secure virtual machine, measure the program-execution-related information used by the secure virtual machine to run the application program, to determine the program execution measurement result of the secure virtual machine at runtime;
where the launch measurement result and the program execution measurement result are used for confidential computing environment authentication, and the confidential computing environment is built in units of secure virtual machines.
In a fifth aspect, embodiments of the present application provide a confidential computing server device, including: a security processor and a secure virtual machine, where the confidential computing environment is built in units of secure virtual machines;
the secure virtual machine is configured to receive a report request sent by a remote attestation initiator device to the confidential computing server device and forward the report request to the security processor; and to receive an attestation report sent by the security processor and send the attestation report to the remote attestation initiator device, for use in authenticating the legitimacy of the confidential computing environment;
the security processor is configured to, in response to the report request, generate the attestation report, update the launch measurement result of the secure virtual machine at launch and the program execution measurement result of the secure virtual machine at runtime into the identity information of the confidential computing environment carried by the attestation report, and send the attestation report to the secure virtual machine.
In a sixth aspect, embodiments of the present application provide a confidential computing system, including: a remote attestation initiator device, a confidential computing server device and a remote attestation server device;
where the remote attestation initiator device is an electronic device corresponding to a participating role that requires confidential computing authentication;
the confidential computing server device is an electronic device corresponding to a confidential computing service end, the confidential computing service end including a confidential computing service provider and/or a confidential computing platform provider; the confidential computing server device is configured to perform the virtual machine measurement method of the first aspect, or the confidential computing authentication method of the second aspect;
the remote attestation server device is an electronic device corresponding to a trusted entity, and the remote attestation server device is configured to perform the confidential computing authentication method of the third aspect.
In a seventh aspect, embodiments of the present application provide a storage medium storing one or more computer-executable instructions which, when executed, implement the virtual machine measurement method of the first aspect, the confidential computing authentication method of the second aspect, or the confidential computing authentication method of the third aspect.
The virtual machine measurement method provided by the embodiments of the present application can be performed by the security processor. When the confidential computing environment is built in units of secure virtual machines, the security processor completes the launch of a secure virtual machine by creating it, so that, while creating the secure virtual machine, the security processor can measure it and determine the launch measurement result of the secure virtual machine at launch. After launch, the secure virtual machine enters its running phase; during running, the secure virtual machine loads program-execution-related information used to run an application program, so that the application program runs inside the secure virtual machine. The security processor can then, during the running of the secure virtual machine, measure the program-execution-related information used by the secure virtual machine to run the application program, and determine the program execution measurement result of the secure virtual machine at runtime.
It can thus be seen that, in the embodiments of the present application, the security processor can determine the launch measurement result of the secure virtual machine while creating it, and determine the program execution measurement result while the secure virtual machine is running, which improves the comprehensiveness of the virtual machine measurement results. The launch measurement result and the program execution measurement result determined by the security processor can be used for confidential computing environment authentication, providing a basis for that authentication to verify both the legitimacy of the secure virtual machine and the legitimacy of the application program it runs, and thereby a basis for improving the comprehensiveness of confidential computing authentication.
Description of the Drawings
To explain the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present application; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Figure 1 is an example diagram of the participating roles in confidential computing.
Figure 2 is an example diagram of a confidential computing system.
Figure 3 is an example architecture diagram of a confidential computing server device.
Figure 4 is a flowchart of a virtual machine measurement method provided by an embodiment of the present application.
Figure 5 is another flowchart of a virtual machine measurement method provided by an embodiment of the present application.
Figure 6 is a flowchart of a confidential computing authentication method provided by an embodiment of the present application.
Detailed Description of Embodiments
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments of the present application. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. Based on the embodiments in the present application, all other embodiments obtained by those of ordinary skill in the art without creative effort fall within the scope of protection of the present application.
To facilitate understanding of confidential computing, Figure 1 shows an example of the participating roles in confidential computing. As shown in Figure 1, the participating roles are mainly: the confidential computing service provider, the confidential computing platform provider, the algorithm provider, the data provider and the computation result consumer.
The confidential computing service provider is mainly responsible for providing the confidential computing service, and also provides management functions for the service, for example support for entering and publishing algorithm programs.
The confidential computing platform provider is mainly responsible for providing the trusted software and hardware on which the confidential computing environment relies and the interfaces used by the confidential computing service provider (for example the root of trust and the trusted execution environment integrated in the confidential computing platform), and for establishing a complete measurement, storage and reporting mechanism.
The algorithm provider is mainly responsible for providing the algorithm programs that need to run in the confidential computing environment; the algorithm programs conform to the requirement description of the computation result consumer.
The data provider is mainly responsible for providing the computation data for confidential computing.
The computation result consumer is mainly responsible for providing computation requirements to the confidential computing service provider, or for using the confidential computing platform directly to perform confidential computation and obtain the corresponding results; the computation requirements it provides include, for example, the algorithm program to be run and the computation data the algorithm program needs to process when running.
Each participating role in confidential computing can be filled by one or more entities (an entity being, for example, an individual or an institution); depending on the confidential computing service and deployment model, some of the roles above can also be filled by the same entity.
Confidential computing requires mutual trust between the participating roles. If the required trust relationships cannot be established between them, there are risks such as untrustworthy computation results, misuse of computing power and infringement of data rights. For this reason, the confidential computing service provider and/or the confidential computing platform provider needs to prove the legitimacy of the confidential computing environment to the other participating roles, that is, to perform confidential computing authentication, so as to prove that the confidential computing environment can be trusted.
For ease of understanding, Figure 2 shows an example of a confidential computing system. As shown in Figure 2, the confidential computing system may include: a confidential computing server device 210, a remote attestation initiator device 220 and a remote attestation server device 230.
The confidential computing server device 210 may be an electronic device corresponding to the confidential computing service end, which may include the confidential computing service provider and/or the confidential computing platform provider. The electronic device may take the form of, for example, a server.
The remote attestation initiator device 220 may be an electronic device corresponding to a participating role that requires confidential computing authentication, for example the electronic device of the algorithm provider, the data provider or the computation result consumer.
When it requires confidential computing authentication, the remote attestation initiator device 220 may send the confidential computing server device 210 a report request asking for an attestation report. For example, before providing an algorithm program, the algorithm provider needs to authenticate the legitimacy of the confidential computing environment, and can do so by sending a report request to the confidential computing server device through the remote attestation initiator device. Likewise, before providing computation data, the data provider needs to authenticate the legitimacy of the confidential computing environment, and can send a report request to the confidential computing server device through the remote attestation initiator device. Similarly, before providing computation requirements, the computation result consumer needs to authenticate the legitimacy of the confidential computing environment, and can send a report request to the confidential computing server device through the remote attestation initiator device.
After obtaining the report request from the remote attestation initiator device 220, the confidential computing server device 210 can return an attestation report carrying the identity information of the confidential computing environment to the remote attestation initiator device 220; the remote attestation initiator device 220 can then pass an authentication request carrying the attestation report to the remote attestation server device 230.
The remote attestation server device 230 may be an electronic device that authenticates whether the identity information of the confidential computing environment is legitimate. For example, the remote attestation server device 230 can authenticate the attestation report (for instance, authenticate whether the identity information of the confidential computing environment carried in the report is legitimate) to obtain the authentication result of confidential computing authentication, and return that result to the remote attestation initiator device 220.
The remote attestation server device 230 may be an electronic device corresponding to an optional trusted entity (for example a third-party trusted entity). In some implementations, the remote attestation initiator device 220 and the remote attestation server device 230 may also be integrated, for example into a single remote device.
From the above it can be seen that confidential computing authentication, which authenticates the legitimacy of the confidential computing environment, is one of the essential functions of confidential computing, and that it is implemented by authenticating an attestation report, for example by authenticating whether the identity information of the confidential computing environment carried in the report is legitimate, so as to obtain the authentication result.
With the development of virtualization technology, a confidential computing server device can use virtualization to create multiple virtual machines, making efficient use of its hardware resources. Each virtual machine is allocated virtual machine memory from the memory of the confidential computing server device; this memory is mainly used for the virtual machine's tasks and for supporting virtualization. To protect virtual machine memory, secure virtualization technology has emerged: it can encrypt the virtual machine memory of some or all virtual machines, and the memory of different virtual machines is encrypted with different virtual machine keys, which even the host system software cannot access. This prevents the data in a virtual machine's memory from being illegally accessed or tampered with, and improves the security of virtual machine data.
For ease of understanding, Figure 3 shows an example architecture of a confidential computing server device based on secure virtualization technology. As shown in Figure 3, the confidential computing server device may include: a processor 310, a memory controller 320, memory 330 and a security processor 340.
The processor 310 is, for example, a CPU (Central Processing Unit). Host system software 311, for example a VMM (Virtual Machine Monitor), can be configured on the processor 310 in software, and the processor 310 can create multiple virtual machines 312 through virtualization technology; the memory of these virtual machines can be managed by the host system software (for example the VMM), which manages, for instance, the virtual machine memory allocated to each virtual machine in the memory 330.
The memory controller 320 is hardware that controls the memory 330 and exchanges data between the memory 330 and the processor 310. Part or all of the memory 330 may be allocated to virtual machines as virtual machine memory.
The security processor 340 is a processor provided by secure virtualization technology and responsible for data security. The host system software (for example the VMM) can be configured with an API (Application Programming Interface) for communicating with the security processor, enabling data exchange between the host system software and the security processor. In addition, the memory controller 320 can be configured with an encryption/decryption engine 321, which can store the virtual machine keys used to encrypt and decrypt virtual machine memory; the virtual machine memory of different virtual machines is encrypted and decrypted with different virtual machine keys.
In secure virtualization technology, the security processor 340 can allocate and manage virtual machine keys for the virtual machines, so that the security processor 340 can, through the encryption/decryption engine 321, use a virtual machine's key to encrypt and decrypt the data read from and written to that virtual machine's memory, thereby achieving secure data isolation between virtual machines.
It should be noted that secure virtualization technology can configure virtual machine keys for all of the virtual machines or only for some of them. A virtual machine that is configured with a virtual machine key and whose memory is protected by encryption can be called a secure virtual machine, that is, a virtual machine whose data is protected by encryption under a virtual machine key; a virtual machine that is not configured with a virtual machine key can be called an ordinary virtual machine.
Based on secure virtualization technology and confidential computing technology, a confidential computing server device can build a confidential computing environment in units of secure virtual machines, for example by building a TEE (Trusted Execution Environment) per secure virtual machine, a TEE being one example of a confidential computing environment. In this case, a measurement result of the secure virtual machine can be obtained by measuring it and carried in the identity information of the confidential computing environment; confidential computing authentication can then authenticate whether the measurement result of the secure virtual machine is legitimate in order to authenticate whether the identity information of the confidential computing environment is legitimate, thereby obtaining the authentication result of confidential computing authentication.
When the confidential computing environment is built in units of secure virtual machines, confidential computing authentication can be achieved by authenticating whether the secure virtual machine's measurement result is legitimate. However, the legitimacy of the measurement result expresses only the legitimacy of the secure virtual machine's identity; it does not express the legitimacy of the application program the secure virtual machine runs (which may implement an algorithm program provided by a participating role such as the algorithm provider). As a result, confidential computing authentication is not comprehensive enough to satisfy the security requirements of participating roles such as the data provider in scenarios such as privacy-preserving computation on computation data. In a privacy-preserving computation scenario, the computation data is, for example, private data provided by the data provider.
In one example, the confidential computing environment implements the algorithm program provided by the algorithm provider by running an application program (an application program running in the confidential computing environment may be called a confidential computing program); so when the confidential computing environment is built in units of secure virtual machines, the secure virtual machine runs an application program that implements the algorithm provider's algorithm program. However, the data provider and the algorithm provider may be different entities, and the data provider will provide computation data only after verifying that the algorithm program is legitimate; that is, only after it has been proven that the application program running in the secure virtual machine is legitimate and will not leak data. In that case, if confidential computing authentication is performed purely on the secure virtual machine's measurement result, the legitimacy of the application program running in the secure virtual machine cannot be proven, so the data provider's trust is hard to obtain, and it is difficult to satisfy the security requirements of participating roles such as the data provider in scenarios such as privacy-preserving computation on computation data.
基于机密计算服务端设备以安全虚拟机为单位构建机密计算环境,本申请实施例可以通过认证安全虚拟机以及安全虚拟机运行的应用程序的合法性,实现机密计算认证,从而提升机密计算认证的全面性,进而为提升机密计算的安全性提供基础。Based on the confidential computing server device, a confidential computing environment is constructed in units of secure virtual machines. The embodiments of this application can realize confidential computing authentication by authenticating the legality of the secure virtual machine and the applications running on the secure virtual machine, thereby improving the efficiency of confidential computing authentication. Comprehensiveness, thereby providing a basis for improving the security of confidential computing.
基于上述思路,本申请的发明人考虑在机密计算服务端设备提供的证明报告中携带机密计算环境的身份信息,并且机密计算环境的身份信息携带安全虚拟机启动时的启动度量结果、以及安全虚拟机运行时的程序运行度量结果,从而通过安全虚拟机启动时的启动度量结果、以及安全虚拟机运行时的程序运行度量结果,实现认证安全虚拟机以及安全虚拟机运行的应用程序的合法性,提升机密计算认证的全面性。Based on the above ideas, the inventor of this application considers carrying the identity information of the confidential computing environment in the certification report provided by the confidential computing server device, and the identity information of the confidential computing environment carries the startup measurement results when the secure virtual machine is started, and the secure virtual machine. The program running measurement results when the machine is running are used to authenticate the legality of the secure virtual machine and the applications running on the secure virtual machine through the startup measurement results when the secure virtual machine is started and the program running measurement results when the secure virtual machine is running. Improving the comprehensiveness of confidential computing certifications.
需要说明的是,安全虚拟机运行的应用程序并无法在安全虚拟机启动时确定,这是因为机密计算服务端设备的硬盘中可能同时存在多个操作系统和多个应用程序,只有在安全虚拟机运行并加载操作系统后,才能确定安全虚拟机从硬盘动态加载并运行的应用程序(也就是说,安全虚拟机对于应用程序的加载是动态的)。基于此,本申请实施例提供新型的虚拟机度量方案,在安全虚拟机启动时,确定安全虚拟机启动时的启动度量结果,在安全虚拟机运行时,确定安全虚拟机运行时的程序运行度量结果,以提升虚拟机度量的结果全面性。进而,在进行机密计算认证时,本申请实施例可以将安全虚拟机启动时的启动度量结果、以及安全虚拟机运行时的程序运行度量结果携带在机密计算环境的身份信息中,并且机密计算环境的身份信息携带在证明报告中,以实现较为全面的进行机密计算认证。It should be noted that the application running on the secure virtual machine cannot be determined when the secure virtual machine is started. This is because multiple operating systems and multiple applications may exist on the hard disk of the confidential computing server device at the same time. Only after the machine is running and the operating system is loaded can the application programs that the secure virtual machine dynamically loads and run from the hard disk be determined (that is, the secure virtual machine loads applications dynamically). Based on this, embodiments of the present application provide a new virtual machine measurement solution. When the secure virtual machine is started, the startup measurement results when the secure virtual machine is started are determined. When the secure virtual machine is running, the program running metrics when the secure virtual machine is running are determined. The result is to improve the comprehensiveness of virtual machine metrics. Furthermore, when performing confidential computing authentication, embodiments of the present application can carry the startup measurement results when the secure virtual machine is started and the program running measurement results when the secure virtual machine is running in the identity information of the confidential computing environment, and the confidential computing environment The identity information is carried in the certification report to achieve more comprehensive confidential computing authentication.
作为可选实现,本申请实施例可以通过机密计算服务端设备中的安全虚拟机、安全处理器、主机系统软件之间的交互,实现在安全虚拟机启动的阶段,确定安全虚拟机的启动度量结果,以及在安全虚拟机运行的阶段,确定安全虚拟机运行时的程序运行度量结果,从而提升虚拟机度量的结果全面性。As an optional implementation, the embodiments of this application can determine the startup metrics of the secure virtual machine during the startup phase of the secure virtual machine through the interaction between the secure virtual machine, the secure processor, and the host system software in the confidential computing server device. As a result, and during the running stage of the safe virtual machine, the program running measurement results when the safe virtual machine is running are determined, thereby improving the comprehensiveness of the virtual machine measurement results.
As an optional implementation, FIG. 4 exemplarily shows an optional flowchart of the virtual machine measurement method provided by an embodiment of this application. Referring to FIG. 4, the method may include the following steps.
In step S410, when the secure virtual machine is booted, the host system software calls the security processor to create the secure virtual machine.
A secure virtual machine is a virtual machine configured with a virtual machine key and whose virtual machine memory is protected by encryption. Because the virtual machine key of the secure virtual machine is allocated and managed by the security processor, when the secure virtual machine is booted the security processor can create the secure virtual machine by encrypting the firmware information of the secure virtual machine and loading the encrypted firmware information into the virtual machine memory of the secure virtual machine. In other words, the security processor completes the boot of the secure virtual machine by creating it. For example, when the secure virtual machine is booted, the security processor may use its encryption and decryption engine to encrypt the firmware information of the secure virtual machine with the virtual machine key corresponding to that secure virtual machine, and load the encrypted firmware information into the virtual machine memory of the secure virtual machine, thereby completing the boot of the secure virtual machine by creating it.
As an optional implementation, when the secure virtual machine is booted, the host system software (for example, the VMM) may call the security processor's commands for initiating the creation of a secure virtual machine, thereby calling the security processor to start the secure virtual machine, to encrypt the firmware information of the secure virtual machine, and to load the encrypted firmware information into the virtual machine memory of the secure virtual machine, so that the boot of the secure virtual machine is completed by creating it.
In a further optional implementation, the security processor's commands for initiating the creation of a secure virtual machine may include: a command to start the secure virtual machine (the LAUNCH START command), a command to update the data of the secure virtual machine (the LAUNCH UPDATE DATA command), and a command to complete the creation of the secure virtual machine (the LAUNCH FINISH command). When the secure virtual machine is booted, the host system software (for example, the VMM) may call the security processor's LAUNCH START, LAUNCH UPDATE DATA and LAUNCH FINISH commands in sequence, so that the security processor creates the secure virtual machine and completes its boot.
In one example, the host system software notifies the security processor that the secure virtual machine is starting to boot by calling the security processor's LAUNCH START command. The host system software notifies the security processor to encrypt the firmware information of the secure virtual machine and load the encrypted firmware information into the virtual machine memory of the secure virtual machine by calling the security processor's LAUNCH UPDATE DATA command. The host system software causes the security processor to finish booting the secure virtual machine by calling the security processor's LAUNCH FINISH command.
In step S411, during the process of creating the secure virtual machine, the security processor measures the secure virtual machine and determines the boot measurement result of the secure virtual machine.
Since the security processor completes the boot of the secure virtual machine by creating it, the security processor can measure the secure virtual machine during the creation process and thereby determine the result measured when the secure virtual machine is booted, that is, the boot measurement result.
As an optional implementation, during the process of creating the secure virtual machine, the security processor fetches the firmware information of the secure virtual machine and encrypts it; when the security processor fetches the firmware information of the secure virtual machine, it can measure the firmware information to obtain a measurement value of the firmware information, which serves as the boot measurement result. For example, the security processor's LAUNCH UPDATE DATA command may be used to notify the security processor to encrypt the firmware information of the secure virtual machine and load the encrypted firmware information into the virtual machine memory of the secure virtual machine; thus, when the security processor detects that the host system software has called the LAUNCH UPDATE DATA command, it may, in response to that command, fetch the firmware information of the secure virtual machine and encrypt it, and when fetching the firmware information it may measure the firmware information to obtain its measurement value as the boot measurement result.
As an optional implementation, in the embodiments of this application, measuring information may be regarded as computing a measurement value of the information using a measurement algorithm, and the measurement value may be regarded as one expression of the measurement result. Optionally, the measurement algorithm may be implemented by a digest algorithm; correspondingly, the measurement value of the information may be the digest value of the information. For example, a digest algorithm is used to compute a digest of the information, and the resulting digest value is used as the measurement value. Further, in an optional implementation, the digest algorithm may be implemented by a hash algorithm; correspondingly, the digest value of the information may be the hash value of the information. For example, a hash algorithm is used to compute a hash of the information, and the resulting hash value is used as the digest value, thereby obtaining the measurement value of the information.
In one implementation example, the SM3 algorithm is a cryptographic hash algorithm that can be used for digital signature and verification; the embodiments of this application may use the SM3 algorithm as one example of a hash algorithm, so that the security processor can measure information using the SM3 algorithm to obtain the measurement value of the information.
Based on the above explanation of measurement, as an optional implementation, the security processor may use a measurement algorithm to measure the firmware information of the secure virtual machine during the process of creating the secure virtual machine, and obtain the measurement value of the firmware information as the boot measurement result of the secure virtual machine. For example, the security processor may measure the firmware information of the secure virtual machine with the SM3 algorithm to obtain the measurement value of the firmware information. Of course, the embodiments of this application may also support other measurement algorithms and are not limited to SM3. In an optional implementation, the firmware information of the secure virtual machine may be, for example, the firmware file of the secure virtual machine.
In step S412, after the boot of the secure virtual machine is completed, the host system software calls the run instruction of the secure virtual machine.
After the secure virtual machine has completed booting, the host system software (for example, the VMM) can call the run instruction of the secure virtual machine so that the secure virtual machine runs. Optionally, the run instruction of the secure virtual machine is, for example, the virtual machine run instruction (VM RUN instruction) of the secure virtual machine. In one example, the host system software calls the VM RUN instruction of the secure virtual machine so that the secure virtual machine executes its firmware code, thereby running the secure virtual machine.
In step S413, while the secure virtual machine is running, when the secure virtual machine loads program-running-related information used for running an application, it notifies the security processor to update the program-running-related information.
Based on the run instruction of the secure virtual machine (for example, the VM RUN instruction) called by the host system software, the secure virtual machine can enter the running phase; for example, the secure virtual machine can execute its firmware code. As an optional implementation, while the secure virtual machine is running, it can load the program-running-related information used for running an application. When the secure virtual machine loads such information, it can notify the security processor to update the program-running-related information so that the security processor can measure the program-running-related information that the secure virtual machine uses to run the application. For example, when the secure virtual machine loads program-running-related information, it may send a notification command to the security processor; the notification command notifies the security processor to update the program-running-related information loaded by the secure virtual machine so that the security processor can measure it.
As an optional implementation, the embodiments of this application may add a firmware interface to the firmware of the secure virtual machine, so that when the secure virtual machine loads program-running-related information used for running an application, it can call the security processor's notification command through the firmware interface. This sends the notification command to the security processor, notifying it to update the program-running-related information so that it can measure that information. For example, the secure virtual machine may call the security processor's launch load data command (the LAUNCH LOAD DATA command) through the firmware interface to notify the security processor to update the program-running-related information. That is, the launch load data command can be regarded as one form of the notification command; for example, the notification command is the security processor's launch load data command called by the secure virtual machine through the firmware interface of the secure virtual machine.
The program-running-related information used for running an application may be any information related to running the application, for example, information that the application depends on in order to run (such as system information on which the application depends) and information of the application itself. As an optional implementation, while the secure virtual machine is running, the program-running-related information used by the secure virtual machine to run an application may include the program-running-related information loaded by the secure virtual machine in sequence, where each item of program-running-related information is loaded in dependence on the previously loaded item. For example, before the secure virtual machine loads an application, it needs to load system information in sequence, and only after the sequential loading of system information is complete does the secure virtual machine load the information of the application (for example, the file information of the application). Correspondingly, while the secure virtual machine is running, the program-running-related information loaded in sequence by the secure virtual machine may include the system information loaded in sequence before the secure virtual machine loads the application, and the information of the application loaded by the secure virtual machine.
In some embodiments, the secure virtual machine is a confidential computing environment that has an operating system and can run applications. After the secure virtual machine runs its firmware, the firmware can detect the hard disk and dynamically load and run the operating system kernel of the secure virtual machine from the hard disk; after the operating system kernel of the secure virtual machine has been loaded and starts running, the operating system kernel loads the application loader (APP Loader); after the application loader has been loaded and is running, the application loader dynamically loads and runs the application.
On this basis, as an optional implementation, the application loader may be integrated into the initramfs of the secure virtual machine. That is, in the embodiments of this application, after the firmware code of the secure virtual machine runs, the firmware loads the operating system kernel; after the operating system kernel has been loaded and starts running, the kernel runs and loads the initramfs, in which the application loader is integrated; the application loader then loads and runs the application, so that the secure virtual machine runs the application.
It should be noted that the initramfs of the secure virtual machine is the initial RAM (Random Access Memory) file system of the secure virtual machine. The initramfs is the file system used by the operating system kernel before the hard disk file system is mounted. As a stand-alone file, its main function is to complete the initialization process of the operating system kernel; for example, in the running process of the secure virtual machine, the operating system kernel mounts the hard disk after completing initialization, at which point the system can switch from the initramfs to the file system on the hard disk, so that the virtual machine can subsequently run the applications on the hard disk. In other words, before the secure virtual machine loads the hard disk file system, the initramfs allows the operating system kernel of the secure virtual machine to perform necessary initialization work, such as loading drivers, configuring the system and mounting the hard disk file system.
By integrating the application loader into the initramfs, the embodiments of this application can ensure the security of the application loader, so that the secure virtual machine can run applications through the interface provided by the application loader in the initramfs, which safeguards the measurement of application-related information in the embodiments of this application.
When the application loader is integrated into the initramfs, as an optional implementation, the system information loaded in sequence before the secure virtual machine loads the application may include: the information of the operating system kernel loaded by the secure virtual machine (for example, the file information of the operating system kernel) and the information of the initramfs loaded by the operating system kernel (for example, the file information of the initramfs). Correspondingly, the information of the application loaded by the secure virtual machine may include the information of the application loaded by the application loader in the initramfs (for example, the file information of the application).
In one implementation example, after the secure virtual machine runs its firmware code, when the firmware loads the information of the operating system kernel, the secure virtual machine calls a command of the security processor (for example, the LAUNCH LOAD DATA command, through the firmware interface) to notify the security processor to update the information of the operating system kernel; when the operating system kernel of the secure virtual machine loads the information of the initramfs, the secure virtual machine calls a command of the security processor (for example, the LAUNCH LOAD DATA command, through the firmware interface) to notify the security processor to update the information of the initramfs; and when the application loader integrated in the initramfs of the secure virtual machine loads the information of the application, the secure virtual machine calls a command of the security processor (for example, the LAUNCH LOAD DATA command, through the firmware interface) to notify the security processor to update the information of the application.
在另一些实施例中,安全虚拟机运行的应用程序可以通过容器封装,也就是说,容器作为封装应用程序的一种轻量级技术,可以将应用程序及其依赖项打包为独立的单元,以便在不同平台和环境中进行部署、运行和管理。在一个示例中,容器例如kata容器;相比于传统容器,kata容器能够提供更强的安全隔离特性,例如,网络、输入/输出和内存的隔离。In other embodiments, applications run by secure virtual machines can be packaged through containers. That is to say, containers, as a lightweight technology for packaging applications, can package applications and their dependencies into independent units. To deploy, run and manage across different platforms and environments. In one example, the container is a kata container; compared to traditional containers, the kata container can provide stronger security isolation features, such as network, input/output, and memory isolation.
在应用程序通过容器封装的情况下,应用程序的信息可以通过容器的信息进行表达(容器的信息例如容器镜像的信息,比如容器镜像的文件信息)。相应的,容器agent(代理)可以作为应用程序加载器的一种形式,容器agent例如kata agent;其中,容器agent(例如kata agent)负责在虚拟机内部管理容器(例如kata容器)的生命周期。进一步的,为保障加载容器的容器agent的安全性,容器agent可以集成在initramfs中。基于此,安全虚拟机加载应用程序之前所依次加载的系统信息可以包括:安全虚拟机加载的操作系统内核的信息、操作系统内核加载的initramfs的信息,initramfs集成有容器agent;相应的,安全虚拟机加载的应用程序的信息可以包括:initramfs中的容器agent所加载的容器的信息(例如容器镜像的文件信息)。When an application is encapsulated through a container, the application information can be expressed through the container information (container information such as container image information, such as container image file information). Correspondingly, the container agent (agent) can be used as a form of application loader, and the container agent (such as kata agent) is responsible for managing the life cycle of the container (such as kata container) inside the virtual machine. Furthermore, in order to ensure the security of the container agent that loads the container, the container agent can be integrated in the initramfs. Based on this, the system information loaded in sequence before the secure virtual machine loads the application can include: the information of the operating system kernel loaded by the secure virtual machine, the information of the initramfs loaded by the operating system kernel, and the initramfs is integrated with the container agent; accordingly, the secure virtual machine Information about machine-loaded applications may include: information about containers loaded by the container agent in the initramfs (such as file information of container images).
在一个实现示例中,安全虚拟机在运行固件代码之后,固件在加载操作系统内核的信息时,安全虚拟机可以调用安全处理器的命令(例如通过固件接口,调用安全处理器的LAUNCH LOAD DATA命令),通知安全处理器更新操作系统内核的信息;安全虚拟机的操作系统内核在加载initramfs的信息时,安全虚拟机可以调用安全处理器的命令(例如通过固件接口,调用安全处理器的LAUNCH LOAD DATA命令),通知安全处理器更新initramfs的信息;安全虚拟机的initramfs中集成的容器agent在加载容器的信息时,安全虚拟机可以调用安全处理器的命令(例如通过固件接口,调用安全处理器的LAUNCH LOAD DATA命令),通知安全处理器更新容器的信息。In an implementation example, after the secure virtual machine runs the firmware code and the firmware loads the information of the operating system kernel, the secure virtual machine can call the security processor's command (for example, through the firmware interface, call the security processor's LAUNCH LOAD DATA command ), notifies the security processor to update the information of the operating system kernel; when the operating system kernel of the security virtual machine loads the initramfs information, the security virtual machine can call the security processor's command (for example, through the firmware interface, call the security processor's LAUNCH LOAD DATA command), notify the security processor to update the initramfs information; when the container agent integrated in the initramfs of the security virtual machine loads the container information, the security virtual machine can call the security processor command (for example, through the firmware interface, call the security processor LAUNCH LOAD DATA command), notifies the security processor to update the container's information.
In step S414, the security processor measures the program-running-related information that the secure virtual machine uses to run the application, and determines the program running measurement result of the secure virtual machine at run time.
As an optional implementation, at run time the secure virtual machine can load program-running-related information in sequence, so that while the secure virtual machine loads the program-running-related information in sequence, the security processor can measure the program-running-related information loaded by the secure virtual machine on each load, obtaining the program running measurement result of the secure virtual machine at run time; the program running measurement result combines the measurement results of the program-running-related information loaded by the secure virtual machine on each load.
In some embodiments, the program-running-related information loaded on each load can be measured separately, and the measurement results of the individual loads can be combined to obtain the program running measurement result. For example, each time the secure virtual machine loads program-running-related information, the loaded information is measured; then, when the secure virtual machine has finished loading the program-running-related information, the measurement results of all the loads are combined to obtain the program running measurement result.
In other embodiments, the security processor can iteratively measure the program-running-related information loaded in sequence by the secure virtual machine, thereby obtaining the program running measurement result of the secure virtual machine at run time. Iterative measurement of sequentially loaded program-running-related information means: each time program-running-related information is loaded, that information is measured, and its measurement result is combined with the measurement result already obtained to produce a combined measurement.
In one example, taking iterative measurement of two loads of program-running-related information as an example: on the first load, the first-loaded program-running-related information can be measured to obtain its measurement result; on the second load, the second-loaded program-running-related information can be measured, and its measurement result can be combined with the measurement result already obtained (for example, the measurement result of the first-loaded program-running-related information) to produce a combined measurement.
It should be noted that for program-running-related information such as operating system kernel information, initramfs information and application information, each piece of program-running-related information exists as an independent file (for example, the operating system kernel information, the initramfs information and the application information are each separate files). Therefore, in the process of loading program-running-related information in sequence, in order to reflect an overall measurement result over all the sequentially loaded program-running-related information, the embodiments of this application can iteratively measure the sequentially loaded program-running-related information, using the measurement result of the next-loaded program-running-related information to update the measurement result already obtained.
As an optional implementation of iteratively measuring the program-running-related information loaded in sequence by the secure virtual machine: when the program-running-related information currently loaded by the secure virtual machine is the first-loaded program-running-related information (for example, the operating system kernel information), the security processor can take the measurement result of the currently loaded program-running-related information as the measurement result corresponding to the current load;
when the program-running-related information currently loaded by the secure virtual machine is not the first-loaded program-running-related information, the security processor can combine the measurement result of the currently loaded program-running-related information with the measurement result corresponding to the previous load, obtaining the measurement result corresponding to the current load;
thus the measurement result corresponding to the last load serves as the program running measurement result of the secure virtual machine at run time.
On the one hand, as an optional implementation, given that the system information can include the information of the operating system kernel loaded by the secure virtual machine and the information of the initramfs loaded by the operating system kernel (the initramfs integrating the application loader), the security processor can measure the operating system kernel information when the secure virtual machine notifies it to update the operating system kernel information, thereby determining the measurement result of the operating system kernel; the security processor can measure the initramfs information when the secure virtual machine notifies it to update the initramfs information, thereby determining the measurement result of the initramfs, and combine the measurement result of the initramfs with the measurement result of the operating system kernel to obtain an intermediate measurement result; and the security processor can measure the application information when the secure virtual machine notifies it to update the application information, thereby determining the measurement result of the application, and combine the measurement result of the application with the intermediate measurement result to obtain the program running measurement result of the secure virtual machine at run time.
Correspondingly, the program running measurement result of the secure virtual machine at run time is the measurement result obtained by combining the intermediate measurement result with the measurement result of the application, where the intermediate measurement result is the measurement result obtained by combining the measurement result of the operating system kernel with the measurement result of the initramfs.
On the other hand, as an optional implementation, when the application is packaged as a container, given that the system information can include the information of the operating system kernel loaded by the secure virtual machine and the information of the initramfs loaded by the operating system kernel (the initramfs integrating the container agent), the security processor can measure the operating system kernel information when the secure virtual machine notifies it to update the operating system kernel information, thereby determining the measurement result of the operating system kernel; the security processor can measure the initramfs information when the secure virtual machine notifies it to update the initramfs information, thereby determining the measurement result of the initramfs, and combine the measurement result of the initramfs with the measurement result of the operating system kernel to obtain an intermediate measurement result; and the security processor can measure the container information (for example, the image information of the container) when the secure virtual machine notifies it to update the container information, thereby determining the measurement result of the container, and combine the measurement result of the container with the intermediate measurement result to obtain the program running measurement result of the secure virtual machine at run time.
Correspondingly, the program running measurement result of the secure virtual machine at run time is the measurement result obtained by combining the intermediate measurement result with the measurement result of the container.
In a further optional implementation, after obtaining the startup measurement result of the secure virtual machine at startup and the program running measurement result of the secure virtual machine at run time, the security processor can save the startup measurement result and the program running measurement result, for example in the firmware of the security processor. Then, when confidential computing authentication is required, the security processor can update the saved startup measurement result and program running measurement result into the attestation report, so that the startup measurement result and the program running measurement result can be used for confidential computing environment authentication.
The virtual machine measurement method provided by the embodiments of this application can be executed by the security processor. When the confidential computing environment is built in units of secure virtual machines, the security processor can complete the startup of a secure virtual machine by creating the secure virtual machine, so that, during creation, the security processor can measure the secure virtual machine and determine the startup measurement result at startup; after the secure virtual machine has started, it enters the running phase, during which the secure virtual machine can load the program-running-related information used to run the application, so that the application runs in the secure virtual machine; the security processor can then, while the secure virtual machine runs, measure the program-running-related information that the secure virtual machine uses to run the application and determine the program running measurement result at run time.
It can be seen that in the embodiments of this application, the security processor can determine the startup measurement result of the secure virtual machine during its creation and determine the program running measurement result during its operation, improving the comprehensiveness of virtual machine measurement results. The startup measurement result and the program running measurement result determined by the security processor can be used for confidential computing environment authentication, providing a basis for that authentication to verify the legitimacy of the secure virtual machine and of the applications it runs, and thereby providing a basis for improving the comprehensiveness of confidential computing authentication.
Taking as an example a secure virtual machine that loads the operating system kernel, the initramfs and the application in sequence, Figure 5 shows, as an optional implementation, another optional flow chart of the virtual machine measurement method provided by the embodiments of this application. Referring to Figure 5, the method flow can include the following steps.
In step S510, the host system software invokes the LAUNCH START command of the security processor.
In step S511, the host system software invokes the LAUNCH UPDATE DATA command of the security processor.
In step S512, the security processor uses the SM3 algorithm to compute the measurement value of the firmware information of the secure virtual machine, obtaining the startup measurement result of the secure virtual machine at startup.
Based on the LAUNCH UPDATE DATA command, the security processor can retrieve the firmware information of the secure virtual machine, encrypt it, and load the encrypted firmware information into the virtual machine memory of the secure virtual machine, thereby creating the secure virtual machine. In this process, the security processor can measure the retrieved firmware information of the secure virtual machine, for example by using the SM3 algorithm to compute the measurement value of the firmware information, thereby obtaining the startup measurement result of the secure virtual machine at startup. In one example, letting the startup measurement result be d1, d1 = SM3(firmware information of the secure virtual machine).
In step S513, the host system software invokes the LAUNCH FINISH command of the security processor.
In step S514, the host system software invokes the VM RUN instruction of the secure virtual machine.
In step S515, the firmware of the secure virtual machine loads the operating system kernel information.
In step S516, the secure virtual machine invokes the LAUNCH LOAD DATA command of the security processor to notify the security processor to update the operating system kernel information.
In step S517, the security processor uses the SM3 algorithm to compute the measurement value of the operating system kernel information, obtaining the measurement value of the operating system kernel.
In one implementation example, letting the measurement value of the operating system kernel be d21, d21 = SM3(operating system kernel information).
In step S518, the operating system kernel of the secure virtual machine loads the initramfs information.
In step S519, the secure virtual machine invokes the LAUNCH LOAD DATA command of the security processor to notify the security processor to update the initramfs information.
In step S520, the security processor uses the SM3 algorithm to compute the measurement value of the initramfs information, obtaining the measurement value of the initramfs, and uses the SM3 algorithm to compute the measurement value over the initramfs measurement value and the operating system kernel measurement value, obtaining the intermediate measurement value.
In one implementation example, letting the measurement value of the initramfs be d22, d22 = SM3(initramfs information). Further, the intermediate measurement value can be expressed as SM3(d21, d22), that is, SM3(SM3(operating system kernel information), SM3(initramfs information)).
In step S521, the application loader integrated in the initramfs of the secure virtual machine loads the application information.
In step S522, the secure virtual machine invokes the LAUNCH LOAD DATA command of the security processor to notify the security processor to update the application information.
In step S523, the security processor uses the SM3 algorithm to compute the measurement value of the application information, obtaining the measurement value of the application, and uses the SM3 algorithm to compute the measurement value over the application measurement value and the intermediate measurement value, obtaining the program running measurement result.
In one implementation example, letting the measurement value of the application be d23, d23 = SM3(application information). Further, letting the program running measurement result be d2, d2 can be expressed as SM3(intermediate measurement value, SM3(application information)), that is, SM3(SM3(SM3(operating system kernel information), SM3(initramfs information)), SM3(application information)).
It can be seen that, in the iterative measurement of the program-running-related information loaded in sequence by the secure virtual machine, the security processor combines the measurement result of the currently loaded program-running-related information with the measurement result already obtained, thereby updating the measurement result already obtained; once the already-obtained measurement result has been updated with the measurement result of the last-loaded program-running-related information, the program running measurement result is obtained.
As an alternative implementation, when the application is packaged as a container, steps S521 to S523 can be replaced by: the container agent integrated in the initramfs of the secure virtual machine loads the container information; the secure virtual machine invokes the LAUNCH LOAD DATA command of the security processor to notify the security processor to update the container information; the security processor uses the SM3 algorithm to compute the measurement value of the container information, obtaining the measurement value of the container, and uses the SM3 algorithm to compute the measurement value over the container measurement value and the intermediate measurement value, obtaining the program running measurement result. In one implementation example, the program running measurement result d2 can be expressed as SM3(intermediate measurement value, SM3(container information)), that is, SM3(SM3(SM3(operating system kernel information), SM3(initramfs information)), SM3(container information)).
In a further optional implementation, when the secure virtual machine runs the application, the application may load configuration information, and the embodiments of this application can also take the measurement result of the configuration information into account when determining the program running measurement result. For example, when the application running in the secure virtual machine loads configuration information, the security processor can measure the configuration information (for instance, when the application loads configuration information, the secure virtual machine can invoke the LAUNCH LOAD DATA command of the security processor to notify the security processor to update the configuration information, so that the security processor can measure the configuration information), obtaining the measurement result of the configuration information; that measurement result is then combined with the program running measurement result already obtained, yielding an updated program running measurement result. The updated program running measurement result can replace the previously obtained program running measurement result for confidential computing environment authentication; for example, the updated program running measurement result replaces the previously obtained one and, together with the startup measurement result, is used to verify the legitimacy of the confidential computing environment during confidential computing environment authentication.
Based on the above description, and further with reference to Figure 5, the flow shown in Figure 5 can also include the following steps.
In step S524, the application of the secure virtual machine loads configuration information.
In step S525, the secure virtual machine invokes the LAUNCH LOAD DATA command of the security processor to notify the security processor to update the configuration information.
In step S526, the security processor uses the SM3 algorithm to compute the measurement value of the configuration information, and uses the SM3 algorithm to compute the measurement value over the configuration information measurement value and the program running measurement result already obtained, obtaining the updated program running measurement result.
In one implementation example, letting the measurement value of the configuration information be d24, d24 = SM3(configuration information). Further, the updated program running measurement result can be expressed as d2(updated), where d2(updated) = SM3(d2, SM3(configuration information)). In a further optional implementation, the updated program running measurement result and the startup measurement result can be saved in the firmware of the security processor.
It should be noted that in the flow shown in Figure 5, when the secure virtual machine invokes the LAUNCH LOAD DATA command of the security processor to notify the security processor to update the relevant information, this can be implemented through the firmware interface of the secure virtual machine. For example, a firmware interface corresponding to the LAUNCH LOAD DATA command is added to the firmware of the secure virtual machine, so that when the secure virtual machine loads program-running-related information, it can invoke the security processor's LAUNCH LOAD DATA command through that firmware interface to notify the security processor to update the program-running-related information loaded by the secure virtual machine, so that the security processor measures the program-running-related information loaded by the secure virtual machine.
It should be noted that the application information denotes the file information of the application. The file information of the application is used for file management, version control, and file operations during build and deployment, whereas the configuration information loaded by the application is used to load and apply the corresponding configuration while the application runs, controlling the application's behaviour and characteristics. Therefore, when a confidential computing environment is built in units of secure virtual machines, the legitimacy of the application must at least be verified through the measurement result of the application's file information. Additionally taking into account the configuration information loaded after the application starts running, when obtaining the program running measurement result, makes the measurement of the application more comprehensive and thereby further improves the comprehensiveness of the virtual machine measurement result.
The embodiments of this application also provide a confidential computing authentication method. After the security processor of the confidential computing server device has determined the startup measurement result and the program running measurement result, if the confidential computing server device receives a report request from the remote attestation initiating device, the confidential computing server device can carry the startup measurement result and the program running measurement result in the identity information of the confidential computing environment, thereby providing an attestation report to the remote attestation initiating device. As an optional implementation, Figure 6 shows an optional flow chart of the confidential computing authentication method provided by the embodiments of this application; as shown in Figure 6, the flow can include the following steps.
In step S610, the remote attestation initiating device sends a report request to the confidential computing server device.
Correspondingly, the confidential computing server device receives the report request. As an optional implementation, to prevent replay attacks, the remote attestation initiating device can carry a random number in the report request.
In a further optional implementation, the remote attestation initiating device can be the electronic device of a data provider; the confidential computing server device can first request computation data from the remote attestation initiating device, so that, on the basis of that request for computation data, the remote attestation initiating device requires the confidential computing server device to prove the legitimacy of the confidential computing environment and therefore sends a report request to the confidential computing server device.
In step S611, in response to the report request, the confidential computing server device generates an attestation report and updates the startup measurement result of the secure virtual machine at startup and the program running measurement result of the secure virtual machine at run time into the identity information of the confidential computing environment carried in the attestation report.
As an optional implementation, the startup measurement result and the program running measurement result can be obtained by the virtual machine measurement method provided by the embodiments of this application.
In step S612, the confidential computing server device sends the attestation report to the remote attestation initiating device.
After receiving the report request, the confidential computing server device can generate an attestation report and fill in the random number (the random number carried in the report request) and the identity information of the confidential computing environment (for example, the identity information of the TEE). In the embodiments of this application, the confidential computing server device can update the startup measurement result of the secure virtual machine at startup and the program running measurement result of the secure virtual machine at run time into the identity information of the confidential computing environment carried in the attestation report, so that confidential computing authentication can verify the legitimacy of the secure virtual machine and of the applications it runs.
In a further optional implementation, the confidential computing server device can sign the attestation report with the chip private key of the chip running the confidential computing environment, and then send the signed attestation report to the remote attestation initiating device. It should be noted that a chip running a confidential computing environment (for example, a TEE) can contain a chip private key, and different chips have different chip private keys.
In an optional implementation, when the confidential computing environment is built with a secure virtual machine, the report request can be received by the secure virtual machine of the confidential computing server device, which forwards it to the security processor of the confidential computing server device; the security processor can generate the attestation report and update the saved startup measurement result and program running measurement result (for example, those saved in the firmware of the security processor) into the identity information of the confidential computing environment carried in the attestation report; the security processor then returns the attestation report to the secure virtual machine, and the secure virtual machine sends the attestation report to the remote attestation initiating device.
In one implementation example, after receiving the report request forwarded by the secure virtual machine, the security processor can generate the attestation report and fill in the random number and the identity information of the confidential computing environment; at the same time, it updates the startup measurement result and the program running measurement result saved in its firmware into the identity information of the confidential computing environment carried in the attestation report; the security processor then signs the attestation report with the chip private key of the chip running the confidential computing environment; the security processor returns the signed attestation report to the secure virtual machine, and the secure virtual machine sends the signed attestation report to the remote attestation initiating device.
In step S613, the remote attestation initiator device sends the attestation report to the remote attestation server device.
In step S614, the remote attestation server device verifies whether the identity information of the confidential computing environment in the attestation report is legitimate and generates an authentication result for the confidential computing environment.
In an optional implementation, based on the boot measurement result carried in the identity information of the confidential computing environment, the remote attestation server device can verify whether the secure virtual machine is legitimate; for example, if the boot measurement result fails verification, the identity of the secure virtual machine is deemed illegitimate. Based on the program-run measurement result carried in the identity information, the remote attestation server device can verify whether the applications running on the secure virtual machine are legitimate; for example, if the program-run measurement result fails verification, the applications running on the secure virtual machine are deemed illegitimate. If both the secure virtual machine and the applications it runs are verified as legitimate, the identity information of the confidential computing environment is deemed legitimate, and the authentication result indicates that the confidential computing environment is legitimate. If either the secure virtual machine or the applications it runs are illegitimate, the identity information of the confidential computing environment is deemed illegitimate, and the authentication result indicates that the confidential computing environment is illegitimate.
As an implementation example, an illegitimate secure virtual machine may mean that the firmware information loaded by the secure virtual machine is illegitimate. In one implementation example, illegitimate applications on the secure virtual machine may mean that at least one of the following is illegitimate: the operating system kernel loaded by the secure virtual machine, the initramfs loaded by the operating system kernel, or the applications loaded by the application loader integrated into the initramfs. In another implementation example, where applications are packaged as containers, illegitimate applications may also mean that at least one of the operating system kernel loaded by the secure virtual machine, the initramfs loaded by the kernel, or the containers loaded by the container agent integrated into the initramfs is illegitimate. In a further implementation example, if the program-run measurement result also incorporates the configuration information of the applications, illegitimate configuration information loaded by an application may likewise make the program-run measurement result illegitimate.
It should be noted that the remote attestation server device can be provisioned with the legitimate identity information of the confidential computing environment in order to verify whether the identity information in the attestation report is legitimate; for example, by comparing the legitimate identity information with the identity information in the attestation report to check whether they are consistent. As an optional implementation, the remote attestation server device can be provisioned with legitimate boot measurement results and legitimate program-run measurement results, and verify the boot measurement result in the attestation report by comparing it with the legitimate boot measurement results, and verify the program-run measurement result in the attestation report by comparing it with the legitimate program-run measurement results.
As an optional implementation, the remote attestation server device can determine the legitimate boot measurement result in advance from the legitimate firmware information of the secure virtual machine and configure it in the legitimate identity information list of the confidential computing environment; at the same time, it can determine the legitimate program-run measurement result in advance from the legitimate program-run-related information of the applications and configure it in the same list. For example, the remote attestation server device can determine the legitimate program-run measurement result from information on the legitimate operating system kernel, the legitimate initramfs, the legitimate applications, and so on, and configure it in the legitimate identity information list. Then, when the remote attestation server device needs to verify whether the boot measurement result and program-run measurement result in the attestation report are legitimate, it obtains the legitimate boot measurement result and the legitimate program-run measurement result from the list for comparison.
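To make the precomputation and comparison of legitimate program-run measurement results concrete, the following Go example is added here; it is not code from the patent or its applicant. It assumes a measured-boot style folding rule, in which the SHA-256 of each loaded component is extended into a running register in load order (kernel, initramfs, application loader, application, configuration), and uses constructed component contents; the patent text does not state how these items are combined into one measurement result, so the rule, the component names and the function names are assumptions of the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Component is one item the secure virtual machine loads at run time, listed
// in load order. Names and contents below are constructed for this example.
type Component struct {
	Name    string
	Content []byte
}

// Extend folds one component into a running measurement register in the style
// of a measured-boot chain: reg' = SHA-256(reg || SHA-256(content)). This
// folding rule is an assumption of the example, not taken from the patent.
func Extend(reg [32]byte, content []byte) [32]byte {
	h := sha256.Sum256(content)
	return sha256.Sum256(append(reg[:], h[:]...))
}

// ProgramRunMeasurement replays the chain over every component in load order,
// starting from an all-zero register, and returns the final register as hex.
// Because each step depends on the previous register, both the content and
// the order of the components affect the result.
func ProgramRunMeasurement(chain []Component) string {
	var reg [32]byte
	for _, c := range chain {
		reg = Extend(reg, c.Content)
	}
	return hex.EncodeToString(reg[:])
}

// GoodChain is a constructed stand-in for the legitimate kernel, initramfs,
// application loader, application and configuration information.
var GoodChain = []Component{
	{Name: "kernel", Content: []byte("constructed kernel image bytes")},
	{Name: "initramfs", Content: []byte("initramfs with integrated application loader")},
	{Name: "loader", Content: []byte("application loader constructed bytes")},
	{Name: "app", Content: []byte("confidential workload constructed binary")},
	{Name: "app.conf", Content: []byte("debug=false\nremote_attestation=on\n")},
}

// WithReplacedContent returns a copy of chain in which the named component has
// new content; it models a tampered or misconfigured component.
func WithReplacedContent(chain []Component, name string, content []byte) []Component {
	out := make([]Component, len(chain))
	copy(out, chain)
	for i := range out {
		if out[i].Name == name {
			out[i].Content = content
		}
	}
	return out
}

// LegalProgramRunList is what the remote attestation server precomputes from
// the legitimate component information and keeps in its legal identity list.
func LegalProgramRunList() map[string]bool {
	return map[string]bool{ProgramRunMeasurement(GoodChain): true}
}

// VerifyProgramRun is the server-side comparison: a reported program-run
// measurement is legitimate only if it appears in the precomputed list.
func VerifyProgramRun(reported string, legal map[string]bool) bool {
	return legal[reported]
}

func main() {
	legal := LegalProgramRunList()
	reported := ProgramRunMeasurement(GoodChain)
	fmt.Println("legitimate chain accepted:", VerifyProgramRun(reported, legal))
	tampered := WithReplacedContent(GoodChain, "app.conf", []byte("debug=true\n"))
	fmt.Println("tampered config accepted:", VerifyProgramRun(ProgramRunMeasurement(tampered), legal))
}
```

The chained form shows why a single change to the configuration file, or a change in load order, yields a different program-run measurement result and is therefore rejected by the list comparison, which is the failure mode the text describes for illegitimate configuration information.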
In a further optional implementation, if the attestation report carries a random number and is signed by the chip private key, the remote attestation server device can use the chip public key (the public key of the chip running the confidential computing environment) to determine whether the signature on the attestation report verifies. If it does, the device further checks whether the random number carried in the attestation report matches the random number carried in the report request (that is, the random number sent by the remote attestation initiator device). If the random numbers match, the attestation report is deemed to have been generated for the report request issued by the remote attestation initiator device, and the remote attestation server device can proceed to verify whether the identity information of the confidential computing environment in the attestation report is legitimate. It should be noted that if signature verification fails or the random numbers do not match, the step of verifying whether the identity information of the confidential computing environment in the attestation report is legitimate is not entered, that is, step S614 is not executed.
In step S615, the remote attestation server device sends the authentication result to the remote attestation initiator device.
In a further optional implementation, when the authentication result indicates that the confidential computing environment is legitimate, the remote attestation initiator device can provide the computing data to the confidential computing server device. If the authentication result indicates that the confidential computing environment is illegitimate, the remote attestation initiator device refuses to provide the computing data to the confidential computing server device; further, the remote attestation initiator device can send rejection information to the confidential computing server device indicating that the computing data is withheld because the confidential computing environment is illegitimate.
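Steps S611 to S615 as one exchange, in an added Go example that is not code from the patent or its applicant. It assumes Ed25519 as a stand-in for the chip's signature scheme (the patent names none), a fixed seed in place of a real chip private key, and constructed strings in place of real boot and program-run measurement results; the JSON report layout and all type and function names are likewise assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// AttestationReport is the body filled in at step S611: the request nonce plus
// the identity information, reduced here to the two measurement results.
type AttestationReport struct {
	Nonce              []byte `json:"nonce"`
	BootMeasurement    string `json:"boot_measurement"`    // secure VM startup
	ProgramMeasurement string `json:"program_measurement"` // secure VM run time
}

// SignedReport is the serialized report plus its chip-key signature (S612).
type SignedReport struct {
	Body      []byte
	Signature []byte
}

// SecureProcessor holds the chip private key and the measurement results saved
// in firmware. Ed25519 is an assumption; the patent names no signature scheme.
type SecureProcessor struct {
	chipPriv           ed25519.PrivateKey
	bootMeasurement    string
	programMeasurement string
}

// GenerateReport is step S611: fill in nonce and measurements, then sign.
func (sp *SecureProcessor) GenerateReport(nonce []byte) (SignedReport, error) {
	body, err := json.Marshal(AttestationReport{
		Nonce:              nonce,
		BootMeasurement:    sp.bootMeasurement,
		ProgramMeasurement: sp.programMeasurement,
	})
	if err != nil {
		return SignedReport{}, err
	}
	return SignedReport{Body: body, Signature: ed25519.Sign(sp.chipPriv, body)}, nil
}

// LegalIdentity is the verifier's provisioned legitimate identity information.
type LegalIdentity struct {
	ChipPublicKey       ed25519.PublicKey
	BootMeasurements    map[string]bool
	ProgramMeasurements map[string]bool
}

// VerifyReport is step S614 in the order the text gives: signature, then nonce,
// and only then the measurements. An early failure skips the identity check.
func VerifyReport(legal LegalIdentity, expectedNonce []byte, sr SignedReport) error {
	if !ed25519.Verify(legal.ChipPublicKey, sr.Body, sr.Signature) {
		return errors.New("signature verification failed; identity check not entered")
	}
	var r AttestationReport
	if err := json.Unmarshal(sr.Body, &r); err != nil {
		return err
	}
	if !bytes.Equal(r.Nonce, expectedNonce) {
		return errors.New("nonce mismatch; report not bound to this request")
	}
	if !legal.BootMeasurements[r.BootMeasurement] {
		return errors.New("boot measurement illegitimate: secure VM rejected")
	}
	if !legal.ProgramMeasurements[r.ProgramMeasurement] {
		return errors.New("program-run measurement illegitimate: application rejected")
	}
	return nil
}

// Attest runs the exchange end to end from the initiator's side and returns
// whether computing data may be released (the decision that follows S615).
func Attest(sp *SecureProcessor, legal LegalIdentity, nonce []byte) (bool, error) {
	sr, err := sp.GenerateReport(nonce) // S611, forwarded by the secure VM (S612)
	if err != nil {
		return false, err
	}
	if err := VerifyReport(legal, nonce, sr); err != nil { // S613/S614
		return false, err // data withheld; rejection information may be sent
	}
	return true, nil
}

// NewTestSetup builds a secure processor and a matching legal list from a fixed
// seed and constructed measurement strings, so runs are repeatable.
func NewTestSetup(programMeasurement string) (*SecureProcessor, LegalIdentity) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	sp := &SecureProcessor{chipPriv: priv, bootMeasurement: "boot-fw-constructed",
		programMeasurement: programMeasurement}
	legal := LegalIdentity{
		ChipPublicKey:       priv.Public().(ed25519.PublicKey),
		BootMeasurements:    map[string]bool{"boot-fw-constructed": true},
		ProgramMeasurements: map[string]bool{"program-run-constructed": true},
	}
	return sp, legal
}

func main() {
	nonce := make([]byte, 32) // fresh random number for the report request
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	sp, legal := NewTestSetup("program-run-constructed")
	ok, err := Attest(sp, legal, nonce)
	fmt.Println("release computing data:", ok, "error:", err)
}
```

The check order in VerifyReport matches the text: a failed signature or a nonce mismatch returns before any measurement is compared, and the two measurement checks report separately whether the secure virtual machine or the application was rejected, which is the distinction the authentication result is meant to carry.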
In some embodiments, the remote attestation initiator device and the remote attestation server device can also be integrated, for example into a single remote device. Optionally, the remote device can run a remote program that carries out the operation flow of the remote attestation initiator device and the operation flow of the remote attestation server device described above.
With the confidential computing authentication method provided by the embodiments of this application, when the confidential computing environment is built with the secure virtual machine as its unit, the identity information of the confidential computing environment in the attestation report can carry the boot measurement result from the secure virtual machine's startup and the program-run measurement result from the secure virtual machine's run time. Confidential environment authentication can thus be performed in the dimension of the secure virtual machine and in the dimension of the applications it runs: by verifying the legitimacy of the secure virtual machine and of the applications running on it, the legitimacy of the confidential computing environment is authenticated, the comprehensiveness of confidential computing authentication is improved, and the security requirements of scenarios such as privacy-preserving computation on computing data can be met.
The embodiments of this application also provide a confidential computing server device for measuring a secure virtual machine. As an optional implementation, as shown in Figure 3, the confidential computing server device can include a secure processor, host system software, and a secure virtual machine;
the host system software is configured to call the secure processor to create the secure virtual machine when the secure virtual machine is started, and to issue the run instruction for the secure virtual machine once startup is complete so that the secure virtual machine runs; the secure processor completes the startup of the secure virtual machine by creating it;
the secure virtual machine is configured, during its run time, to load the program-run-related information used to run applications and to send a notification command to the secure processor;
the secure processor is configured, when called by the host system software during creation of the secure virtual machine, to measure the secure virtual machine and determine the boot measurement result of the secure virtual machine's startup; and, during the run time of the secure virtual machine, based on the notification command from the secure virtual machine, to measure the program-run-related information the secure virtual machine uses to run applications and determine the program-run measurement result of the secure virtual machine's run time;
where the boot measurement result and the program-run measurement result are used for confidential computing environment authentication, and the confidential computing environment is built with the secure virtual machine as its unit.
For the optional implementation of measuring the secure virtual machine, more detailed descriptions of the secure processor, the host system software, and the secure virtual machine can be found in the corresponding sections above and are not repeated here.
The embodiments of this application also provide a confidential computing server device for authentication of a confidential computing environment. As an optional implementation, the confidential computing server device can include a secure processor and a secure virtual machine;
the secure virtual machine is configured to receive the report request sent by the remote attestation initiator device to the confidential computing server device and forward it to the secure processor; and to receive the attestation report sent by the secure processor and send it to the remote attestation initiator device for authenticating the legitimacy of the confidential computing environment;
the secure processor is configured, in response to the report request, to generate the attestation report, update the boot measurement result of the secure virtual machine's startup and the program-run measurement result of the secure virtual machine's run time into the identity information of the confidential computing environment carried in the attestation report, and send the attestation report to the secure virtual machine.
As an optional implementation, the report request carries a random number; the secure processor is further configured to carry the random number in the attestation report and, before sending the attestation report to the secure virtual machine, to sign the attestation report with the chip private key of the chip running the confidential computing environment.
For the optional implementation of confidential computing authentication, more detailed descriptions of the secure processor and the secure virtual machine can be found in the corresponding sections above and are not repeated here.
The embodiments of this application also provide a confidential computing system. As shown in Figure 2, the confidential computing system can include a remote attestation initiator device, a confidential computing server device, and a remote attestation server device;
where the remote attestation initiator device is the electronic device corresponding to a participating role that requires confidential computing authentication;
the confidential computing server device is the electronic device corresponding to the confidential computing server side, which includes a confidential computing service provider and/or a confidential computing platform provider; the confidential computing server device can be configured to execute the virtual machine measurement method provided by the embodiments of this application, or to execute the confidential computing authentication method provided by the embodiments of this application;
the remote attestation server device is the electronic device corresponding to a trusted entity, and is configured to execute the confidential computing authentication method provided by the embodiments of this application.
It should be noted that the content of the virtual machine measurement method executed by the confidential computing server device, the content of the confidential computing authentication method executed by the confidential computing server device, and the content of the confidential computing authentication method executed by the remote attestation server device can all be found in the corresponding sections above and are not repeated here.
The embodiments of this application also provide a storage medium that can store one or more computer-executable instructions which, when executed, implement the virtual machine measurement method or the confidential computing authentication method provided by the embodiments of this application.
The foregoing describes multiple embodiments provided by this application. The optional modes introduced in each embodiment can be combined and cross-referenced with one another where they do not conflict, yielding many further possible embodiments, all of which are considered embodiments disclosed by this application.
Although the embodiments of this application are disclosed as above, the application is not limited thereto. Any person skilled in the art can make various changes and modifications without departing from the spirit and scope of this application; therefore, the scope of protection of this application shall be defined by the claims.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311332315.1A (published as CN117453343A) | 2023-10-13 | 2023-10-13 | Virtual machine measurement and secret calculation authentication method, device, system and storage medium |
| Publication Number | Publication Date |
|---|---|
| CN117453343A (en) | 2024-01-26 |
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |